Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
26-06-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll
-
Size
138KB
-
MD5
10686f63d7d573fc32ea32515050610c
-
SHA1
96d4016d1c24e48871262067023195f2258e3fb1
-
SHA256
4c94988ce5410f5fa622242b0c939946ef3d30ad72f5fa5b1fb0fb2d8f2a6e6b
-
SHA512
291b3df439b1866608be3893b13f622a4b19f21de1794e8eb6642dda0b791b82c0494d428b6aa6fe2414195c6e875e59e406bbbad724ed38783384cf46f69d99
-
SSDEEP
3072:lRB6igBt/cwP9aAnI0wtFEQLOiib3wEzR4rUjS:DXgBlVpnuIwSRq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\gmnvfmet\\osfipmnh.exe" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osfipmnh.exe svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\osfipmnh.exe svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 1560 798kOP3 2172 gxdguomqvdxnxutv.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power svchost.exe -
Loads dropped DLL 6 IoCs
pid Process 2996 rundll32.exe 2996 rundll32.exe 1560 798kOP3 1560 798kOP3 1560 798kOP3 1560 798kOP3 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\OsfIpmnh = "C:\\Users\\Admin\\AppData\\Local\\gmnvfmet\\osfipmnh.exe" svchost.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\LogFiles\Cluster\10686f63d7d573fc32ea32515050610c_JaffaCakes118.log rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 1560 798kOP3 Token: SeDebugPrivilege 1560 798kOP3 Token: SeSecurityPrivilege 2640 svchost.exe Token: SeSecurityPrivilege 2772 svchost.exe Token: SeDebugPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeSecurityPrivilege 2172 gxdguomqvdxnxutv.exe Token: SeLoadDriverPrivilege 2172 gxdguomqvdxnxutv.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe Token: SeBackupPrivilege 2772 svchost.exe Token: SeRestorePrivilege 2772 svchost.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2944 wrote to memory of 2996 2944 rundll32.exe 28 PID 2996 wrote to memory of 1560 2996 rundll32.exe 29 PID 2996 wrote to memory of 1560 2996 rundll32.exe 29 PID 2996 wrote to memory of 1560 2996 rundll32.exe 29 PID 2996 wrote to memory of 1560 2996 rundll32.exe 29 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2640 1560 798kOP3 30 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2772 1560 798kOP3 31 PID 1560 wrote to memory of 2172 1560 798kOP3 32 PID 1560 wrote to memory of 2172 1560 798kOP3 32 PID 1560 wrote to memory of 2172 1560 798kOP3 32 PID 1560 wrote to memory of 2172 1560 798kOP3 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\798kOP3"798kOP3"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\gxdguomqvdxnxutv.exe"C:\Users\Admin\AppData\Local\Temp\gxdguomqvdxnxutv.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD547a8ed36d375f91a1b750411d92ead7f
SHA1b46c4f789f25a704169a21b4b7e4d4ecdda62a5d
SHA2567e1f885a67c2b64aa4549a564f1008f4e96f1a2cd351cd62b6d2b44a8dd03626
SHA512c3f43e560d3b499ab3d0444cfc21a18eb0451aff7466760c0719feadeb4d47445af13968b108cd89fc36e619b9297240075f5a1eec6f6319a88c589a4bc872f7